About this list Date view Thread view Subject view Author view Attachment view

From: Stefan van der Eijk (stefan_at_eijk.nu)
Date: Sun 05 May 2002 - 22:19:04 BST


Hi,

I'm trying to get the CTX patch to work with Mandrake's development
kernels. While applying the patch I noticed that the CTX patch conflicts
with an earlier applied patch (the gr security patch, see
http://www.grsecurity.org/ ). Before I continue trying to figure things
out I've got a few questions:
- If somebody wants to run the kernel without CTX functionality, will a
CTX enabled kernel have any disadvantages against a normal kernel?
- Are you planning to make configureable kernel options for the CTX
functionality?
- Does the GR security functionality conflict with CTX?
- Is there a smart way to merge GR security and CTX patches?

I've tried to merge the CTX patch, the resulting diff of the original
patch is attached to this email.

kind regards,

Stefan van der Eijk

Parts where conflicts are found:

$ less ./fs/proc/base.c.rej
***************
*** 1019,1022 ****
                if (!pid)
                        continue;
                if (--index >= 0)
                        continue;
--- 1025,1041 ----
                if (!pid)
                        continue;
+ /* Even if the pid 1 is not part of the security context */
+ /* we show it anyway. This makes the security box */
+ /* more standard (and helps pstree do its job) */
+ /* So current process "knows" pid 1 exist anyway and
can't */
+ /* send any signal either */
+
+ /* A process with security context 1 can see all
processes */
+ if (pid != 1
+ && current->s_context != 1
+ && p->s_context != current->s_context) continue;
+ /* We hide the fakeinit process since we show it as
process 1 */
+ if (current->s_info != NULL
+ && current->s_info->initpid == pid) continue;
                if (--index >= 0)
                        continue;

$ less ./fs/proc/base.c
                if (!pid)
                        continue;
#ifdef CONFIG_GRKERNSEC_ACL
                        if(gr_check_hidden_task(p))
                                continue;
#endif
                if (--index >= 0)
                        continue

=====================================================================================
$ less ./kernel/signal.c.rej
***************
*** 593,597 ****
                read_lock(&tasklist_lock);
                for_each_task(p) {
! if (p->pgrp == pgrp) {
                                int err = send_sig_info(sig, info, p);
                                if (retval)
--- 593,599 ----
                read_lock(&tasklist_lock);
                for_each_task(p) {
! if (p->pgrp == pgrp
! && ((long)info==1
! || p->s_context ==
current->s_context)) {
                                int err = send_sig_info(sig, info, p);
                                if (retval)
***************
*** 640,645 ****
        p = find_task_by_pid(pid);
        error = -ESRCH;
! if (p)
! error = send_sig_info(sig, info, p);
        read_unlock(&tasklist_lock);
        return error;
--- 642,663 ----
        p = find_task_by_pid(pid);
        error = -ESRCH;
! if (p != NULL){
! switch((unsigned long)info) {
! case 0:
! if(p->s_context == current->s_context){
! error = send_sig_info(sig, info, p);
! }
! break;
! case 1:
! error = send_sig_info(sig, info, p);
! break;
! default:
! if( info->si_code == SI_KERNEL
! || p->s_context == current->s_context){
! error = send_sig_info(sig, info, p);
! }
! break;
! }
! }
        read_unlock(&tasklist_lock);
        return error;
***************
*** 664,668 ****
                read_lock(&tasklist_lock);
                for_each_task(p) {
! if (p->pid > 1 && p != current) {
                                int err = send_sig_info(sig, info, p);
                                ++count;
--- 682,686 ----
                read_lock(&tasklist_lock);
                for_each_task(p) {
! if (p->pid > 1 && p != current && p->s_context
== current->s_context) {
                                int err = send_sig_info(sig, info, p);
                                ++count;

=====================================================================================
$ less ./kernel/sys.c.rej
***************
*** 1116,1119 ****
  {
        int errno;
 
        if (!capable(CAP_SYS_ADMIN))
--- 1186,1190 ----
  {
        int errno;
+ char *domainname;
 
        if (!capable(CAP_SYS_ADMIN))

=====================================================================================
$ less ./Makefile.rej
***************
*** 2,6 ****
  PATCHLEVEL = 4
  SUBLEVEL = 18
! EXTRAVERSION =
 
  KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
--- 2,6 ----
  PATCHLEVEL = 4
  SUBLEVEL = 18
! EXTRAVERSION =ctx-10
 
  KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)

less ./Makefile
PATCHLEVEL = 4
SUBLEVEL = 19
EXTRAVERSION = -pre6

KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)

=====================================================================================

--- patch-2.4.18ctx-10.orig 2002-04-15 19:28:22.000000000 +0200
+++ patch-2.4.18ctx-10 2002-05-05 23:13:38.000000000 +0200
@@ -5,13 +5,13 @@
 *** 2,6 ****
   PATCHLEVEL = 4
   SUBLEVEL = 18
-! EXTRAVERSION =
+! EXTRAVERSION = -pre6
   
   KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
 --- 2,6 ----
   PATCHLEVEL = 4
   SUBLEVEL = 18
-! EXTRAVERSION =ctx-10
+! EXTRAVERSION = pre6-ctx-10
   
   KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
 diff -rc2P linux-2.4.18/arch/i386/kernel/entry.S linux-2.4.18ctx-10/arch/i386/kernel/entry.S
@@ -758,25 +758,26 @@
   
           dentry->d_op = &pid_base_dentry_operations;
 ***************
-*** 1019,1022 ****
---- 1025,1041 ----
- if (!pid)
- continue;
-+ /* Even if the pid 1 is not part of the security context */
-+ /* we show it anyway. This makes the security box */
-+ /* more standard (and helps pstree do its job) */
-+ /* So current process "knows" pid 1 exist anyway and can't */
-+ /* send any signal either */
-+
-+ /* A process with security context 1 can see all processes */
-+ if (pid != 1
-+ && current->s_context != 1
-+ && p->s_context != current->s_context) continue;
-+ /* We hide the fakeinit process since we show it as process 1 */
-+ if (current->s_info != NULL
-+ && current->s_info->initpid == pid) continue;
- if (--index >= 0)
- continue;
+*** 1095,1098 ****
+--- 1095,1111 ----
+ if (!pid)
+ continue;
++ /* Even if the pid 1 is not part of the security context */
++ /* we show it anyway. This makes the security box */
++ /* more standard (and helps pstree do its job) */
++ /* So current process "knows" pid 1 exist anyway and can't */
++ /* send any signal either */
++
++ /* A process with security context 1 can see all processes */
++ if (pid != 1
++ && current->s_context != 1
++ && p->s_context != current->s_context) continue;
++ /* We hide the fakeinit process since we show it as process 1 */
++ if (current->s_info != NULL
++ && current->s_info->initpid == pid) continue;
+ #ifdef CONFIG_GRKERNSEC_ACL
+ if(gr_check_hidden_task(p))
+ continue;
 diff -rc2P linux-2.4.18/fs/udf/inode.c linux-2.4.18ctx-10/fs/udf/inode.c
 *** linux-2.4.18/fs/udf/inode.c Tue Feb 26 22:22:08 2002
 --- linux-2.4.18ctx-10/fs/udf/inode.c Tue Feb 26 22:31:23 2002
@@ -1351,14 +1352,13 @@
 + }
                   read_unlock(&tasklist_lock);
                   spin_lock_irq(&runqueue_lock);
-diff -rc2P linux-2.4.18/kernel/signal.c linux-2.4.18ctx-10/kernel/signal.c
 *** linux-2.4.18/kernel/signal.c Fri Nov 23 15:07:52 2001
 --- linux-2.4.18ctx-10/kernel/signal.c Tue Feb 26 22:31:23 2002
 ***************
 *** 593,597 ****
                   read_lock(&tasklist_lock);
                   for_each_task(p) {
-! if (p->pgrp == pgrp) {
+! if (p->pgrp == pgrp && thread_group_leader(p)) {
                                   int err = send_sig_info(sig, info, p);
                                   if (retval)
 --- 593,599 ----
@@ -1370,17 +1370,31 @@
                                   int err = send_sig_info(sig, info, p);
                                   if (retval)
 ***************
-*** 640,645 ****
+*** 712,717 ****
           p = find_task_by_pid(pid);
           error = -ESRCH;
-! if (p)
-! error = send_sig_info(sig, info, p);
- read_unlock(&tasklist_lock);
- return error;
---- 642,663 ----
+! if (p) {
+ #ifdef CONFIG_GRKERNSEC_ACL
+ if( !(gr_check_protected_task(p)) || current->pid == 1)
+ #endif
+--- 712,718 ----
           p = find_task_by_pid(pid);
           error = -ESRCH;
-! if (p != NULL){
+! if (p != NULL)
+ #ifdef CONFIG_GRKERNSEC_ACL
++ {
+ if( !(gr_check_protected_task(p)) || current->pid == 1)
+ #endif
+***************
+*** 723,727 ****
+ p = tg;
+ }
+! error = send_sig_info(sig, info, p);
+ }
+ }
+--- 724,742 ----
+ p = tg;
+ }
 ! switch((unsigned long)info) {
 ! case 0:
 ! if(p->s_context == current->s_context){
@@ -1396,21 +1410,19 @@
 ! error = send_sig_info(sig, info, p);
 ! }
 ! break;
-! }
-! }
- read_unlock(&tasklist_lock);
- return error;
+ }
+ }
 ***************
-*** 664,668 ****
- read_lock(&tasklist_lock);
- for_each_task(p) {
-! if (p->pid > 1 && p != current) {
+*** 766,770 ****
+ if(!(gr_check_protected_task(p) || current->pid == 1))
+ #endif
+! if (p->pid > 1 && p != current && thread_group_leader(p)) {
                                   int err = send_sig_info(sig, info, p);
                                   ++count;
---- 682,686 ----
- read_lock(&tasklist_lock);
- for_each_task(p) {
-! if (p->pid > 1 && p != current && p->s_context == current->s_context) {
+--- 766,770 ----
+ if(!(gr_check_protected_task(p) || current->pid == 1))
+ #endif
+! if (p->pid > 1 && p != current && thread_group_leader(p) && p->s_context == current->s_context) {
                                   int err = send_sig_info(sig, info, p);
                                   ++count;
 ***************
@@ -1727,8 +1739,8 @@
                   errno = -EFAULT;
           up_read(&uts_sem);
 ***************
-*** 1066,1069 ****
---- 1136,1140 ----
+*** 1268,1271 ****
+--- 1268,1272 ----
   {
           int errno;
 + char *domainname;


About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 06 Nov 2002 - 07:03:40 GMT by hypermail 2.1.3